CVE-2025-12890 is a vulnerability identified in the Zephyr RTOS Bluetooth stack that results from improper handling of malformed Connection Request packets. Specifically, when a Connection Request is sent with an interval value set to 1, which is outside the allowed range, and the channel map (chM) is set to 0x7CFFFFFFFF, the system triggers a crash. This crash causes the affected Bluetooth peripheral to become unconnectable, effectively resulting in a denial-of-service (DoS) condition. The vulnerability affects all versions of Zephyr, as indicated by the affectedVersions field. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with the vector indicating an attack vector of adjacent network (Bluetooth), low attack complexity, no privileges required, no user interaction, unchanged scope, and impact limited to availability. The flaw arises due to inadequate validation and error handling of exceptional or malformed Bluetooth connection parameters. Since Zephyr is an open-source real-time operating system widely used in embedded systems and IoT devices, this vulnerability could impact a broad range of products that rely on Zephyr’s Bluetooth capabilities. No known exploits have been reported in the wild, and no patches or mitigations have been officially released at the time of publication. The vulnerability does not affect confidentiality or integrity but can disrupt device availability, potentially impacting critical embedded applications.

For European organizations, the primary impact of CVE-2025-12890 is the potential denial-of-service of Bluetooth-enabled devices running Zephyr RTOS. This can disrupt operations in sectors relying on embedded and IoT devices such as industrial automation, healthcare, smart cities, and automotive systems. Devices rendered unconnectable may lose critical functionality, leading to operational downtime or safety risks. Since Zephyr is popular in resource-constrained devices, many deployed in Europe could be vulnerable, especially in industries adopting IoT and edge computing. The lack of confidentiality or integrity impact limits data breach risks, but availability loss could affect service continuity and safety-critical systems. The attack requires proximity to the device (Bluetooth range), which somewhat limits remote exploitation but does not eliminate risk in dense urban or industrial environments. The absence of known exploits reduces immediate threat but also means organizations should proactively prepare for potential future exploitation.

Organizations should immediately inventory and identify all devices running Zephyr RTOS with Bluetooth capabilities. Until official patches are released, network segmentation and Bluetooth access controls should be enforced to limit exposure to untrusted devices. Employ Bluetooth monitoring tools to detect anomalous connection requests with suspicious parameters such as interval=1 or unusual channel maps. Device manufacturers and integrators should prioritize updating to patched Zephyr versions once available. Where possible, disable Bluetooth on devices that do not require it or restrict Bluetooth usage to trusted environments. Implement physical security controls to prevent unauthorized proximity attacks. For critical systems, consider fallback communication methods or redundancy to mitigate availability loss. Engage with Zephyr project maintainers and security advisories to stay informed about patches and mitigation guidance.